G Suite, Google Apps & Gmail HIPAA-Compliant Encryption

Ensuring your G Suite email is HIPAA-compliant

Making Google Apps / G Suite HIPAA Compliant

Free Gmail is not HIPAA compliant and cannot be made HIPAA compliant.
It should never be used in any context where HIPAA compliance is required.
However, Google Apps (now called G Suite) can be HIPAA compliant if you
sign a HIPAA Business Associate Agreement (BAA) with Google. Even then,
Google does not include email encryption with G Suite; they do not even
sell email encryption.

If you want to stick with G Suite and not migrate to an email provider
that specializes in HIPAA-compliant email, the only solution is to purchase
outbound HIPAA-compliant email encryption through a specialized third party,
such as LuxSci, and configure G Suite so that all of your outbound email
messages are relayed (smart hosted) through LuxSci for encryption before
being sent on to their recipients.

With "smart hosting" you keep using your G Suite email as you do now. You
receive email in your inbox just as you currently do; you send email just
as you currently do; and you don't need to change settings on any of your
devices or email clients. What changes is that outbound messages are
relayed to LuxSci email servers, which deliver them to the recipients. In
the process the emails are encrypted with SecureLine™ and made HIPAA
compliant.

To use LuxSci smart host encryption for your G Suite outbound email, you would:

Set up your LuxSci account so that all of your users and domains are created. There needs to be a one-to-one
relationship between users in LuxSci and users in G Suite, for tracking, auditing, and authentication purposes.

How Does HIPAA Apply to Email?

While you may be accustomed to Google's email services, using them and
staying HIPAA-compliant is not that simple.

HIPAA regulations are purposely vague to give
businesses flexibility in how they protect patient information. This
allows them to use the technology and processes that suit their unique
situations.

This lack of clarity can make the regulations confusing, but it serves a
purpose, because the appropriate protections for one company may be
completely different from those of another. There are certain practices
that may not be strictly necessary for compliance, but they can make some
aspects of the regulation easier to meet.

Encryption

HIPAA regulations state that PHI should be encrypted "whenever deemed
appropriate." The requirements will vary depending on each company's size,
complexity, software, hardware, technical infrastructure, the risks that
it faces and the costs of various security measures.

The Department of Health and Human Services states that when PHI is
transmitted from one point to another it must be protected in a manner
commensurate with the associated risk. Risk analyses should be undertaken,
and communications should be encrypted wherever there is a significant
risk of unauthorized access.

At the very least, emails containing PHI need to be encrypted once they
leave the company firewall. While doing this can make some businesses
compliant, it is far from the best approach. Many companies find it more
beneficial to go beyond the bare-bones expectations of HIPAA and implement
National Institute of Standards and Technology (NIST) compliant encryption
instead.

NIST guidelines recommend using the TLS protocol to protect PHI in transit
and prevent unauthorized access. For complete end-to-end email encryption,
S/MIME and OpenPGP provide both encryption and digital signatures, which
can authenticate the contents and provide confidentiality.
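The two things an administrator wants to verify after configuring the smart hosting described above are that outbound messages really are accepted by the relay (rather than leaving G Suite directly) and that every hop used a TLS version consistent with the NIST guidance just mentioned. The following script is an added example, not LuxSci's or Google's code: it parses the Received: trace headers of a delivered message and reports both checks. The relay hostname, IP addresses and the two sample messages are constructed placeholders; it recognises both the Postfix-style "(using TLSv1.2 ...)" and the Google-style "(version=TLS1_2 ...)" annotations.

```python
"""Audit the Received: trace of a sent message for relay and TLS hygiene.

Added example for this page, not LuxSci's or Google's code. It checks two
things a mail administrator wants to verify after configuring a smart host:
(1) the message was actually accepted by the relay (not sent directly), and
(2) every hop recorded TLS 1.2 or newer, in line with NIST TLS guidance.
The relay hostname, IPs and sample messages are constructed placeholders.
"""
import email
import re

RELAY_HOST = "smarthost.example-relay.test"   # placeholder for the real relay
MIN_TLS = 1.2   # floor enforced here; NIST SP 800-52 requires at least TLS 1.2

# Constructed sample 1: Google handed the message to the relay over TLS 1.3,
# and the relay delivered it to the recipient MX over TLS 1.2. Each hop
# prepends its Received header, so the top header is the most recent hop.
RELAYED_MESSAGE = """\
Received: from smarthost.example-relay.test (smarthost.example-relay.test [203.0.113.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.recipient.example (Postfix) with ESMTPS id 4F3A2B1C;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from mail-sender.google.example ([192.0.2.20])
\tby smarthost.example-relay.test with ESMTPSA id 1A2B3C
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tMon, 01 Jan 2024 10:00:01 +0000
From: clinic@clinic.example
To: patient@recipient.example
Subject: Appointment confirmation

Body text.
"""

# Constructed sample 2: the relay was bypassed and the only hop was plaintext.
BYPASSED_MESSAGE = """\
Received: from mail-sender.google.example ([192.0.2.20])
\tby mx.recipient.example (Postfix) with ESMTP id 9Z8Y7X;
\tMon, 01 Jan 2024 10:00:02 +0000
From: clinic@clinic.example
To: patient@recipient.example
Subject: Appointment confirmation

Body text.
"""

# Postfix writes "(using TLSv1.2 with cipher ...)", Google writes
# "(version=TLS1_2 cipher=...)"; both forms are recognised.
TLS_VERSION_RE = re.compile(r"using\s+TLSv(1(?:\.\d)?)|version=TLS(1(?:_\d)?)")
ENCRYPTED_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}


def _field(flat, keyword):
    """Return the token after the first 'from'/'by' keyword, or ''."""
    m = re.search(rf"\b{keyword}\s+(\S+)", flat)
    return m.group(1) if m else ""


def parse_hops(raw_message):
    """Return hops oldest-first as dicts: from, by, protocol, tls version."""
    msg = email.message_from_string(raw_message)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        flat = " ".join(received.split())          # unfold the header
        # The SMTP protocol token is upper-case ("ESMTPS"); "with cipher" is not.
        proto = re.search(r"\bwith\s+([A-Z]{3,}[A-Z0-9]*)\b", flat)
        tls = TLS_VERSION_RE.search(flat)
        version = None
        if tls:
            version = float((tls.group(1) or tls.group(2)).replace("_", "."))
        hops.append({
            "from": _field(flat, "from"),
            "by": _field(flat, "by"),
            "protocol": proto.group(1) if proto else "",
            "tls": version,
        })
    return hops


def audit(raw_message, relay_host=RELAY_HOST):
    """Return the relayed flag, parsed hops and a list of readable findings."""
    hops = parse_hops(raw_message)
    relayed = any(h["by"].lower() == relay_host.lower() for h in hops)
    findings = []
    if not relayed:
        findings.append(f"message was never accepted by relay {relay_host}")
    for n, h in enumerate(hops, 1):
        where = f"hop {n} ({h['from']} -> {h['by']})"
        if h["tls"] is None and h["protocol"] in ENCRYPTED_PROTOCOLS:
            findings.append(f"{where} used TLS but recorded no version")
        elif h["tls"] is None:
            findings.append(f"{where} was not encrypted ({h['protocol'] or 'unknown protocol'})")
        elif h["tls"] < MIN_TLS:
            findings.append(f"{where} used TLS {h['tls']}, below {MIN_TLS}")
    return {"relayed": relayed, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("relayed", RELAYED_MESSAGE), ("bypassed", BYPASSED_MESSAGE)):
        result = audit(raw)
        print(label, "OK" if not result["findings"] else result["findings"])
```

Run it against the raw source of a message sent to a test mailbox after switching on smart hosting: the relayed sample passes cleanly, while the bypassed sample produces two findings (no relay hop, plaintext delivery). Received headers are written by each receiving server and are only as trustworthy as that server, so this is a configuration check for your own mail flow, not proof that an arbitrary inbound message was encrypted.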

Following the NIST guidelines can be more beneficial than just complying
with the HIPAA minimums. If PHI is accessed in an unauthorized manner, you
may be obliged to report it to the relevant parties. If the information is
encrypted to NIST standards, it is generally not considered unsecured PHI,
meaning that the incident does not need to be reported, or the consequences
of a breach are significantly diminished.

Business Associate Agreement

HIPAA's Privacy Rule includes provisions for how companies can work
alongside other businesses. If ePHI will be involved in the collaboration
between the two businesses, they must sign a business associate agreement
(BAA) beforehand.

These agreements are contracts that stipulate the terms under which PHI
can be processed by the other company, the business associate. They
require the business associate to have adequate safeguards in place to
protect the PHI, specify how the business associate may use the PHI,
stipulate that it must not disclose the information, and place several
other conditions on its handling.

If you use an external email provider to send ePHI, you will need to
sign a BAA with them to be HIPAA compliant. This agreement will
legally bind them to treat the PHI of your customers appropriately.

Gmail vs G Suite

When asking whether Gmail is HIPAA compliant, we need to be certain of
which Google service we are talking about. Gmail is Google's personal
email option that many people have used at some stage of their lives.

It is not possible to make Gmail HIPAA compliant, because Google will
not sign a BAA for Gmail users. Another issue is Google's automated
processing -- they essentially scan every email and use the data for
marketing purposes -- which obviously goes against HIPAA requirements.

Google also offers G Suite, formerly known as Google Apps. It is a paid
service which is targeted towards businesses rather than individuals. It
is possible to be HIPAA-compliant with G Suite, but the process isn't
particularly straightforward or cheap.

The minimum monthly G Suite plan currently goes for $5 per user, but it
is not automatically configured to be HIPAA-compliant. Once you sign your
BAA, you still need to set it up properly to meet the regulations. The
BAA leaves most of the responsibility up to the users, and the necessary
steps towards compliance can be confusing.

To make G Suite HIPAA-compliant, you need to make sure that all of your
messages are encrypted during transit, and that those using non-compliant
hosts can also send secure messages to you. Google does not provide any
native email encryption solution. Everyone using G Suite for
HIPAA-compliant email must purchase email encryption through a third party
and configure G Suite to relay their outbound email through that
encryption gateway provider.

These factors make G Suite a complicated and expensive option for
HIPAA-compliant email. You may find that an email service that is tailored
towards HIPAA-compliance is an easier and cheaper option. LuxSci's Secure Email safeguards your ePHI and
offers a number of extra security features.

Combining G Suite with Third Party Smart Hosting

While it can be inconvenient and expensive to become HIPAA-compliant
with G Suite, some users may be too accustomed to the interface to make the
switch. One option that enables users to keep the Google email client and
also makes it easier to meet the regulations is to use LuxSci's Smarthost
service. This allows you to route your G Suite email through our email
servers.

It's easy to integrate LuxSci's Smart Hosting with G Suite. You just
need a LuxSci email account with users that correspond to your G Suite
users. Once smart hosting is enabled in LuxSci, your outbound email flows
through our servers, without the need to configure each user.

Using LuxSci's Smart Hosting gives you outbound email encryption and
other email processing and content scanning features, and a potentially
better IP reputation. It also enables you to archive your emails, helping
you keep the necessary records to
comply with HIPAA.

LuxSci's Smart Hosting offers its users TLS security as well as
authentication. Our advanced plan also offers outbound email encryption,
support for HIPAA-compliant sending, and WebMail.

Making Gmail HIPAA-Compliant

Although regular Gmail cannot be HIPAA compliant, it is certainly
possible to meet the regulations while using Google's paid service, G
Suite. Unfortunately, it can be complicated and relatively expensive to
run, so many users may want to look at a dedicated HIPAA-compliant email
service, such as LuxSci.

If you are committed to making your G Suite compliant with HIPAA
regulations, you may find that it is best to use our third party solution,
LuxSci Smart Host. It's easy to integrate and makes HIPAA-compliant email
much less stressful.

"After being a long-time customer (under several different companies), I haven't had any problems with my LuxSci services, and I bet you folks don't hear enough that you're doing a spectacular job running the hardest service on the Internet. I rarely think about LuxSci, as my mail just works, which ultimately means absolute success in my book. Keep it up!"